CVE-2026-20184 (CVSS 9.8) in Cisco Webex Services allowed unauthenticated attackers to impersonate any user through SSO certificate validation bypass. Cloud service already patched.
CISA added eight vulnerabilities to its KEV catalog including three Cisco Catalyst SD-WAN Manager flaws. Federal agencies face an April 23 deadline for the Cisco patches.
Attackers are distributing PlugX malware through phishing campaigns impersonating Anthropic's Claude AI. The fake installer abuses a legitimate G DATA binary for DLL sideloading.
CVE-2026-40575 (CVSS 9.1) allows unauthenticated attackers to bypass OAuth2 Proxy authentication via X-Forwarded-Uri header spoofing. Patch to v7.15.2 immediately.
Kaspersky exposes Lotus, a data wiper deployed against Venezuela's energy utilities in December 2025. The malware destroys recovery mechanisms and leaves systems unrecoverable.
ShinyHunters claims breach of Canada Life Assurance exposing 5.6 million Salesforce records with PII. Ransom deadline passed April 21, 2026—data leak threatened.
Google attributes the Axios npm supply chain attack to UNC1069, a North Korean threat actor. Malicious versions deployed WAVESHAPER.V2 backdoor across Windows, macOS, and Linux.
CVE-2026-5965 in NewSoftOA enables unauthenticated OS command injection with CVSS 9.8. Local attackers can execute arbitrary commands and fully compromise systems.
CVE-2026-41329 lets attackers bypass OpenClaw's sandbox via heartbeat context manipulation, achieving privilege escalation. CVSS 9.9 demands immediate patching.
Attackers hijacked Seiko USA's website to post a ransom demand, claiming theft of customer data from the watchmaker's Shopify store. A 72-hour deadline was issued before public release.
Learn about ransomware, phishing, malware, and essential online safety practices.
Curated books, tools, and resources to deepen your cybersecurity knowledge.
Get the latest cybersecurity news delivered to your inbox.